ardamax | d63de465624796397a0aa147400f7e12c2ab0d5edca384cbd9b424c8b0a02e16

General

Target

f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
Size

2.1MB
MD5

f141189e5399f7017ddccb9819399d6d
SHA1

895b3e076487b92d550de926b147b19474d55ea8
SHA256

d63de465624796397a0aa147400f7e12c2ab0d5edca384cbd9b424c8b0a02e16
SHA512

f5e2bd12688d83e4ed0d377548022a088fc5dae6b29f2888c0155dc62b310f2f628eaacf5e2c1bc0413f1c93ec23083ef62286fa2b5ba9af83b12810470d04a0
SSDEEP

49152:SY3jbmFa55o8HIxSm7+JWrERE/67pBDvo:SYzaFiH6Su+Jf66jA

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exeMRP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	MRP.exe

Executes dropped EXE 1 IoCs

Processes:

MRP.exe

pid process

4844 MRP.exe
Loads dropped DLL 2 IoCs

Processes:

MRP.exe

pid process

4844 MRP.exe
4844 MRP.exe

pid	process
4844	MRP.exe

pid	process
4844	MRP.exe
4844	MRP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MRP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MRP Start = "C:\\ProgramData\\XERULY\\MRP.exe"	MRP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MRP.exe

pid process

4844 MRP.exe
4844 MRP.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MRP.exe

pid process

4844 MRP.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MRP.exe

description pid process

Token: SeIncBasePriorityPrivilege 4844 MRP.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MRP.exe

pid process

4844 MRP.exe
4844 MRP.exe
4844 MRP.exe
4844 MRP.exe

pid	process
4844	MRP.exe
4844	MRP.exe

pid	process
4844	MRP.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4844	MRP.exe

pid	process
4844	MRP.exe
4844	MRP.exe
4844	MRP.exe
4844	MRP.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exeMRP.exe

description	pid	process	target process
PID 4884 wrote to memory of 4844	4884	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	MRP.exe
PID 4884 wrote to memory of 4844	4884	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	MRP.exe
PID 4884 wrote to memory of 4844	4884	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	MRP.exe
PID 4844 wrote to memory of 592	4844	MRP.exe	cmd.exe
PID 4844 wrote to memory of 592	4844	MRP.exe	cmd.exe
PID 4844 wrote to memory of 592	4844	MRP.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4884

C:\ProgramData\XERULY\MRP.exe
"C:\ProgramData\XERULY\MRP.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\XERULY\MRP.exe > nul
3⤵
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XERULY\MRP.00
Filesize
2KB

MD5
314b674c28b9b5647c98e4676c8738fc

SHA1
9f7247a2ae75b1e53eb3cfde78606ffb8f92bc9a

SHA256
c78544e5e75d837221b6594884979509ad53c2b024d01eaa7177f128972107d2

SHA512
00e720b42b7a6cc5097ce03dbc94d20bddcb037ba556c3d1508a8185f6b477842c8c91b1fd300125e8094c7561d1ea3eda63bf2ebcd782789323733513dc772f

Download Submit
C:\ProgramData\XERULY\MRP.01
Filesize
79KB

MD5
c3fd0cd65ed63f682a5bf98aa90e774f

SHA1
90da7bb0256b0b1c9130078f91996c8e768522ea

SHA256
d5dd6bf3f86b7bc87241eac5d5a937d2dd4bb2dd0e6238a6fab4f54d16f6ba95

SHA512
9b7ddae51ef758b350c4d137341f366f23378e290267eae3f6fded0a63c61c97d27f3ba1fb2555bc4648d1442ba157abbc3d15a2d30a75cb809850497497e6e5

Download Submit
C:\ProgramData\XERULY\MRP.02
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\XERULY\MRP.exe
Filesize
2.6MB

MD5
2bafb32eee4371dfea195eac8e1cb926

SHA1
15fba7eb3a98790778be5d238c37dfbe5c6b93b7

SHA256
6dc4e4712ec2b46c0400a69887fa195757050c415931a622a18bbd4fad8c2f30

SHA512
bf34a316d96d5cf20688716aba67180d87faed27eb5e2fac1822e86e88a8eb3bdbf4367513cf4417fd8d1acd1b8e421043675f0a6da7e5c9a6f027ad03e5a6c9

Download Submit
memory/4844-16-0x0000000004100000-0x0000000004119000-memory.dmp

Filesize
100KB

Download
memory/4844-12-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4844-17-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads